• Status: Solved
  • Priority: Medium
  • Security: Public

After upgrade to 2008 (CertEnroll) Stand-alone CA, web browsing certs work on XP, not 7

I am managing a web application that uses digital certificates to identify end-users over the internet for access to the app.  We were using Server 2003 R2 x86, but got tired of installing certs manually for Windows 7.

Having a few extra licenses of Server available, I cloned the existing app server (which is the CA too), changed its product key, and upgraded that to 2008 x32 (R2 only x64 :( ).  After sorting out some minor problems (including having to publish a new CRL), I can get XP clients to work normally.  However, 7 clients using the same web enrollment get the root and client certificates but cannot access the site.  Error is "page requires client certificate (403.7)".

The root and client certificates are there, but the key usage on the client cert is only "Key Encipherment (20)".  On XP clients, the key usage is "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)".

Any guidance would be appreciated!  Thanks, Tom.

Asked by: tboncher
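The two key-usage values quoted in the question (20 on the Windows 7 client, f0 on the XP client) are the first octet of the RFC 5280 KeyUsage BIT STRING, shown in hex. The following is an added example, not part of the original thread, that parses such a DER-encoded KeyUsage value, expands it into the flag names certmgr displays, and reports whether the certificate can be used for TLS client authentication, which requires the Digital Signature bit because the client must sign the handshake. The DER byte strings are constructed samples that reproduce the two values from the question.

```python
# Added example (not from the original thread): decode KeyUsage values such as
# "Key Encipherment (20)" and "(f0)" and check for TLS client-auth suitability.

# RFC 5280 KeyUsage bit assignments. The hex value Windows shows is the first
# content octet of the BIT STRING, with bit 0 (digitalSignature) as the MSB.
KEY_USAGE_BITS = [
    (0x80, "Digital Signature"),
    (0x40, "Non-Repudiation"),
    (0x20, "Key Encipherment"),
    (0x10, "Data Encipherment"),
    (0x08, "Key Agreement"),
    (0x04, "Certificate Signing"),
    (0x02, "CRL Signing"),
    (0x01, "Encipher Only"),
]


def key_usage_from_der(der: bytes) -> int:
    """Parse a DER-encoded KeyUsage BIT STRING (tag 0x03) and return its
    first content octet. Raises ValueError on malformed or truncated input."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Short-form length only; KeyUsage is never longer than a few bytes.
    if length & 0x80 or length < 2 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    if der[2] > 7:
        raise ValueError("invalid unused-bits count")
    # decipherOnly (bit 8) would live in a second octet; the flags discussed
    # in the question all fit in the first one.
    return der[3]


def decode_key_usage(value: int) -> list:
    """Expand a KeyUsage first-octet value into the flag names certmgr lists."""
    return [name for bit, name in KEY_USAGE_BITS if value & bit]


def usable_for_tls_client_auth(value: int) -> bool:
    """TLS client authentication signs the handshake (CertificateVerify),
    so the certificate must carry the Digital Signature usage."""
    return bool(value & 0x80)


if __name__ == "__main__":
    # Constructed samples mirroring the two certificates from the question.
    samples = {"Windows 7 client": bytes.fromhex("03020520"),   # KE only
               "XP client": bytes.fromhex("030204f0")}          # DS, NR, KE, DE
    for label, der in samples.items():
        ku = key_usage_from_der(der)
        print(f"{label}: {ku:02x} -> {decode_key_usage(ku)}; "
              f"TLS client auth OK: {usable_for_tls_client_auth(ku)}")
```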
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
If you are using a self-signed certificate authority, then that is the root of the problem, as the certs are now different. You will have to revoke the older certs and push out new ones.
 
tboncher (Author) commented:
Ugh. We are talking about a few hundred over dozens of customers at sites across the country. Do you know of documentation of this issue? Thanks!
 
tboncher (Author) commented:
Sorry, I did not positively confirm - yes, we are using a self-signed CA.
 
David Johnson, CD, MVP (Owner) commented:
You might try this:

  • Go to the certsrv directory, probably http://localhost/certsrv/
  • Click "Request a Certificate"
  • Click "advanced certificate request"
  • Click "Create and submit a request to this CA"
  • Fill out the form, etc.

From this point forward it's the same as any other certificate.
 
tboncher (Author) commented:
I would agree that this method should work. However, it is not very user friendly to my end-users who, on average, are not very technical. Therefore, I am going to keep trying to find a way to get the normal way to work - such as having a second parallel web site that references a new certificate store, maybe on a second server instance, etc. Thanks, Tom.
Question has a verified solution.